net: wifi: shell: add enterprise support for station

Add EAP-TLS, EAP-PEAP-MSCHAPv2, EAP-PEAP-GTC, EAP-TTLS-MSCHAPv2,
EAP-PEAP-TLS, EAP-TLS-SHA256  enterprise wpa2 and wpa3 suiteb
support for station.

Signed-off-by: Rex Chen <rex.chen_1@nxp.com>

doc/connectivity/networking/api/wifi.rst

@@ -38,6 +38,9 @@ module.
     $ cp client.pem samples/net/wifi/test_certs/
     $ cp client-key.pem samples/net/wifi/test_certs/
     $ cp ca.pem samples/net/wifi/test_certs/
+    $ cp client2.pem samples/net/wifi/test_certs/
+    $ cp client-key2.pem samples/net/wifi/test_certs/
+    $ cp ca2.pem samples/net/wifi/test_certs/
     $ west build -p -b <board> samples/net/wifi -- -DEXTRA_CONF_FILE=overlay-enterprise.conf
 
 For using variable size network buffer, the following overlay file can be used:
@@ -52,15 +55,11 @@ To initiate Wi-Fi connection, the following command can be used:
 
 .. code-block:: console
 
-    uart:~$ wifi connect -s <SSID> -k 7 -a anon -K whatever
+    uart:~$ wifi connect -s <SSID> -c 149 -k 17 -w 2 -a client1 --key1-pwd whatever --key2-pwd whatever --eap-id1 id1 --eap-pwd1 pwd1
 
 Server certificate is also provided in the same directory for testing purposes.
 Any AAA server can be used for testing purposes, for example, ``FreeRADIUS`` or ``hostapd``.
 
-.. important::
-
-    The passphrase for the :file:`client-key.pem`` and the :file:`server-key.pem` is ``whatever``.
-
 .. note::
 
     The certificates are for testing purposes only and should not be used in production.

include/zephyr/net/wifi.h

@@ -68,6 +68,16 @@ enum wifi_security_type {
 	WIFI_SECURITY_TYPE_WPA_AUTO_PERSONAL,
 	/** DPP security */
 	WIFI_SECURITY_TYPE_DPP,
+	/** EAP PEAP MSCHAPV2 security - Enterprise. */
+	WIFI_SECURITY_TYPE_EAP_PEAP_MSCHAPV2,
+	/** EAP PEAP GTC security - Enterprise. */
+	WIFI_SECURITY_TYPE_EAP_PEAP_GTC,
+	/** EAP TTLS MSCHAPV2 security - Enterprise. */
+	WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2,
+	/** EAP PEAP security - Enterprise. */
+	WIFI_SECURITY_TYPE_EAP_PEAP_TLS,
+	/** EAP TLS SHA256 security - Enterprise. */
+	WIFI_SECURITY_TYPE_EAP_TLS_SHA256,
 
 	/** @cond INTERNAL_HIDDEN */
 	__WIFI_SECURITY_TYPE_AFTER_LAST,
@@ -76,6 +86,91 @@ enum wifi_security_type {
 	/** @endcond */
 };
 
+/** @brief EPA method Types. */
+enum wifi_eap_type {
+	/** No EPA  security. */
+	WIFI_EAP_TYPE_NONE = 0,
+	/** EPA GTC security, refer to rfc3748 chapter 5. */
+	WIFI_EAP_TYPE_GTC = 6,
+	/** EPA TLS security, refer to rfc5216. */
+	WIFI_EAP_TYPE_TLS = 13,
+	/** EPA TTLS security, refer to rfc5281. */
+	WIFI_EAP_TYPE_TTLS = 21,
+	/** EPA PEAP security, refer to draft-josefsson-pppext-eap-tls-eap-06.txt. */
+	WIFI_EAP_TYPE_PEAP = 25,
+	/** EPA MSCHAPV2 security, refer to draft-kamath-pppext-eap-mschapv2-00.txt. */
+	WIFI_EAP_TYPE_MSCHAPV2 = 26,
+};
+
+/** @brief Enterprise security WPA3 suiteb types. */
+enum wifi_suiteb_type {
+	/** suiteb. */
+	WIFI_SUITEB = 1,
+	/** suiteb-192. */
+	WIFI_SUITEB_192,
+};
+
+/** @brief Group cipher and pairwise cipher types. */
+enum wifi_cipher_type {
+	/** AES in counter mode with CBC-MAC (CCMP-128). */
+	WPA_CAPA_ENC_CCMP,
+	/** 128-bit Galois/Counter Mode Protocol. */
+	WPA_CAPA_ENC_GCMP,
+	/** 256-bit Galois/Counter Mode Protocol. */
+	WPA_CAPA_ENC_GCMP_256,
+};
+
+/** @brief group mgmt cipher types. */
+enum wifi_group_mgmt_cipher_type {
+	/** 128-bit Broadcast/Multicast Integrity Protocol
+	 * Cipher-based Message Authentication Code .
+	 */
+	WPA_CAPA_ENC_BIP,
+	/** 128-bit Broadcast/Multicast Integrity Protocol
+	 * Galois Message Authentication Code .
+	 */
+	WPA_CAPA_ENC_BIP_GMAC_128,
+	/** 256-bit Broadcast/Multicast Integrity Protocol
+	 * Galois Message Authentication Code .
+	 */
+	WPA_CAPA_ENC_BIP_GMAC_256,
+};
+
+struct wifi_cipher_desc {
+	/** Cipher capability. */
+	unsigned int capa;
+	/** Cipher name string. */
+	char *name;
+};
+
+struct wifi_eap_cipher_config {
+	/** Key management type string. */
+	char *key_mgmt;
+	/** OpenSSL cipher string. */
+	char *openssl_ciphers;
+	/** Group cipher cipher string. */
+	char *group_cipher;
+	/** Pairwise_cipher cipher string. */
+	char *pairwise_cipher;
+	/** Group management cipher string. */
+	char *group_mgmt_cipher;
+	/** Used to confiure TLS features. */
+	char *tls_flags;
+};
+
+struct wifi_eap_config {
+	/**  Security type. */
+	unsigned int type;
+	/** EPA method type of phase1. */
+	enum wifi_eap_type eap_type_phase1;
+	/** EPA method type of phase2. */
+	enum wifi_eap_type eap_type_phase2;
+	/** EPA method string. */
+	char *method;
+	/** Phase2 setting string. */
+	char *phase2;
+};
+
 /** Helper function to get user-friendly security type name. */
 const char *wifi_security_txt(enum wifi_security_type security);
 

include/zephyr/net/wifi_mgmt.h

@@ -466,12 +466,28 @@ struct wifi_connect_req_params {
 	int timeout;
 	/** anonymous identity */
 	const uint8_t *anon_id;
-	/** anon_id length */
+	/** anon_id length, max 64 */
-	uint8_t aid_length; /* Max 64 */
+	uint8_t aid_length;
 	/** Private key passwd for enterprise mode */
 	const uint8_t *key_passwd;
-	/** Private key passwd length */
+	/** Private key passwd length, max 128 */
-	uint8_t key_passwd_length; /* Max 128 */
+	uint8_t key_passwd_length;
+	/** private key2 passwd */
+	const uint8_t *key2_passwd;
+	/** key2 passwd length, max 128 */
+	uint8_t key2_passwd_length;
+	/** suiteb or suiteb-192 */
+	uint8_t suiteb_type;
+	/** eap version */
+	uint8_t eap_ver;
+	/** Identity for EAP */
+	const uint8_t *eap_identity;
+	/** eap identity length, max 64 */
+	uint8_t eap_id_length;
+	/** Password string for EAP. */
+	const uint8_t *eap_password;
+	/** eap passwd length, max 128 */
+	uint8_t eap_passwd_length;
 };
 
 /** @brief Wi-Fi connect result codes. To be overlaid on top of \ref wifi_status
@@ -711,6 +727,18 @@ struct wifi_enterprise_creds_params {
 	uint8_t *client_key;
 	/** Client key length */
 	uint32_t client_key_len;
+	/** CA certification of phase2*/
+	uint8_t *ca_cert2;
+	/** Phase2 CA certification length */
+	uint32_t ca_cert2_len;
+	/** Client certification of phase2*/
+	uint8_t *client_cert2;
+	/** Phase2 Client certification length */
+	uint32_t client_cert2_len;
+	/** Client key of phase2*/
+	uint8_t *client_key2;
+	/** Phase2 Client key length */
+	uint32_t client_key2_len;
 };
 
 /** @brief Wi-Fi power save configuration */

modules/hostap/CMakeLists.txt

@@ -46,6 +46,7 @@ zephyr_library_compile_definitions(
 	CONFIG_SHA512
 	CONFIG_CTRL_IFACE_ZEPHYR
 	CONFIG_SUITEB192
+	CONFIG_SUITEB
 )
 
 
@@ -366,6 +367,14 @@ zephyr_library_compile_definitions_ifdef(CONFIG_EAP_MD5
         EAP_MD5
 )
 
+zephyr_library_sources_ifdef(CONFIG_EAP_GTC
+	${HOSTAP_SRC_BASE}/eap_peer/eap_gtc.c
+)
+
+zephyr_library_compile_definitions_ifdef(CONFIG_EAP_GTC
+        EAP_GTC
+)
+
 zephyr_library_sources_ifdef(CONFIG_EAP_MSCHAPV2
 	${HOSTAP_SRC_BASE}/eap_peer/eap_mschapv2.c
 	${HOSTAP_SRC_BASE}/eap_peer/mschapv2.c

modules/hostap/Kconfig

@@ -190,6 +190,9 @@ config EAP_PEAP
 config EAP_MD5
 	bool "EAP-MD5 support"
 
+config EAP_GTC
+	bool "EAP-GTC support"
+
 config EAP_MSCHAPV2
 	bool "EAP-MSCHAPv2 support"
 
@@ -466,6 +469,9 @@ config SHA512
 config SUITEB192
 	bool
 
+config SUITEB
+	bool
+
 config WEP
 	bool
 	default y if WIFI_NM_WPA_SUPPLICANT_WEP

modules/hostap/src/supp_api.c

@@ -438,6 +438,100 @@ static int wpas_config_process_blob(struct wpa_config *config, char *name, uint8
 
 	return 0;
 }
+
+static const struct wifi_cipher_desc ciphers[] = {
+	{WPA_CAPA_ENC_GCMP_256, "GCMP-256"},
+	{WPA_CAPA_ENC_CCMP, "CCMP"},
+	{WPA_CAPA_ENC_GCMP, "GCMP"},
+};
+
+static const struct wifi_cipher_desc ciphers_group_mgmt[] = {
+	{WPA_CAPA_ENC_BIP, "AES-128-CMAC"},
+	{WPA_CAPA_ENC_BIP_GMAC_128, "BIP-GMAC-128"},
+	{WPA_CAPA_ENC_BIP_GMAC_256, "BIP-GMAC-256"},
+};
+
+static struct wifi_eap_config eap_config[] = {
+	{WIFI_SECURITY_TYPE_EAP_TLS, WIFI_EAP_TYPE_TLS, WIFI_EAP_TYPE_NONE, "TLS", NULL},
+	{WIFI_SECURITY_TYPE_EAP_PEAP_MSCHAPV2, WIFI_EAP_TYPE_PEAP, WIFI_EAP_TYPE_MSCHAPV2, "PEAP",
+	 "auth=MSCHAPV2"},
+	{WIFI_SECURITY_TYPE_EAP_PEAP_GTC, WIFI_EAP_TYPE_PEAP, WIFI_EAP_TYPE_GTC, "PEAP",
+	 "auth=GTC"},
+	{WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2, WIFI_EAP_TYPE_TTLS, WIFI_EAP_TYPE_NONE, "TTLS",
+	 "auth=MSCHAPV2"},
+	{WIFI_SECURITY_TYPE_EAP_PEAP_TLS, WIFI_EAP_TYPE_PEAP, WIFI_EAP_TYPE_TLS, "PEAP",
+	 "auth=TLS"},
+	{WIFI_SECURITY_TYPE_EAP_TLS_SHA256, WIFI_EAP_TYPE_TLS, WIFI_EAP_TYPE_NONE, "TLS", NULL},
+};
+
+int process_cipher_config(struct wifi_connect_req_params *params,
+			  struct wifi_eap_cipher_config *cipher_config)
+{
+	unsigned int cipher_capa;
+	unsigned int gropu_mgmt_cipher_capa;
+	unsigned int index;
+
+	if (params->suiteb_type == WIFI_SUITEB) {
+		cipher_capa = WPA_CAPA_ENC_GCMP;
+		gropu_mgmt_cipher_capa = WPA_CAPA_ENC_BIP_GMAC_128;
+		cipher_config->key_mgmt = "WPA-EAP-SUITE-B";
+		cipher_config->openssl_ciphers = "SUITEB128";
+		cipher_config->tls_flags = "[SUITEB]";
+	} else if (params->suiteb_type == WIFI_SUITEB_192) {
+		cipher_capa = WPA_CAPA_ENC_GCMP_256;
+		gropu_mgmt_cipher_capa = WPA_CAPA_ENC_BIP_GMAC_256;
+		cipher_config->key_mgmt = "WPA-EAP-SUITE-B-192";
+		cipher_config->openssl_ciphers = "SUITEB192";
+		cipher_config->tls_flags = "[SUITEB]";
+	} else {
+		cipher_capa = WPA_CAPA_ENC_CCMP;
+		gropu_mgmt_cipher_capa = WPA_CAPA_ENC_BIP;
+		cipher_config->key_mgmt = "WPA-EAP";
+	}
+
+	if (params->security == WIFI_SECURITY_TYPE_EAP_TLS_SHA256) {
+		cipher_config->key_mgmt = "WPA-EAP-SHA256";
+	}
+
+	for (index = 0; index < ARRAY_SIZE(ciphers); index++) {
+		if (cipher_capa == ciphers[index].capa) {
+			cipher_config->group_cipher = ciphers[index].name;
+			cipher_config->pairwise_cipher = ciphers[index].name;
+			break;
+		}
+	}
+
+	if (index == ARRAY_SIZE(ciphers)) {
+		wpa_printf(MSG_ERROR, "Get ciphers error");
+		goto out;
+	}
+
+	for (index = 0; index < ARRAY_SIZE(ciphers_group_mgmt); index++) {
+		if (gropu_mgmt_cipher_capa == ciphers_group_mgmt[index].capa) {
+			cipher_config->group_mgmt_cipher = ciphers_group_mgmt[index].name;
+			break;
+		}
+	}
+
+	if (index == ARRAY_SIZE(ciphers_group_mgmt)) {
+		wpa_printf(MSG_ERROR, "Get group mgmt ciphers error");
+		goto out;
+	}
+
+	return 0;
+out:
+	return -EINVAL;
+}
+
+static int is_eap_valid_security(int security)
+{
+	return (security == WIFI_SECURITY_TYPE_EAP_TLS ||
+		    security == WIFI_SECURITY_TYPE_EAP_PEAP_MSCHAPV2 ||
+		    security == WIFI_SECURITY_TYPE_EAP_PEAP_GTC ||
+		    security == WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2 ||
+		    security == WIFI_SECURITY_TYPE_EAP_PEAP_TLS ||
+		    security == WIFI_SECURITY_TYPE_EAP_TLS_SHA256);
+}
 #endif
 
 static int wpas_add_and_config_network(struct wpa_supplicant *wpa_s,
@@ -451,6 +545,14 @@ static int wpas_add_and_config_network(struct wpa_supplicant *wpa_s,
 	uint8_t ssid_null_terminated[WIFI_SSID_MAX_LEN + 1];
 	uint8_t psk_null_terminated[WIFI_PSK_MAX_LEN + 1];
 	uint8_t sae_null_terminated[WIFI_SAE_PSWD_MAX_LEN + 1];
+#ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+	struct wifi_eap_cipher_config cipher_config = {NULL,   "DEFAULT:!EXP:!LOW", "CCMP",
+						       "CCMP", "AES-128-CMAC",      NULL};
+	char *method;
+	char phase1[128] = {0};
+	char *phase2 = NULL;
+	unsigned int index;
+#endif
 
 	if (!wpa_cli_cmd_v("remove_network all")) {
 		goto out;
@@ -634,9 +736,47 @@ static int wpas_add_and_config_network(struct wpa_supplicant *wpa_s,
 				goto out;
 			}
 #ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
-		} else if (params->security == WIFI_SECURITY_TYPE_EAP_TLS) {
+		} else if (is_eap_valid_security(params->security)) {
-			if (!wpa_cli_cmd_v("set_network %d key_mgmt WPA-EAP",
+			if (process_cipher_config(params, &cipher_config)) {
-					   resp.network_id)) {
+				goto out;
+			}
+
+			for (index = 0; index < ARRAY_SIZE(eap_config); index++) {
+				if (params->security == eap_config[index].type) {
+					method = eap_config[index].method;
+					phase2 = eap_config[index].phase2;
+					break;
+				}
+			}
+
+			if (index == ARRAY_SIZE(eap_config)) {
+				wpa_printf(MSG_ERROR, "Get eap method error with security type: %d",
+					   params->security);
+				goto out;
+			}
+
+			if (!wpa_cli_cmd_v("set_network %d key_mgmt %s", resp.network_id,
+					   cipher_config.key_mgmt)) {
+				goto out;
+			}
+
+			if (!wpa_cli_cmd_v("set openssl_ciphers \"%s\"",
+					   cipher_config.openssl_ciphers)) {
+				goto out;
+			}
+
+			if (!wpa_cli_cmd_v("set_network %d group %s", resp.network_id,
+					   cipher_config.group_cipher)) {
+				goto out;
+			}
+
+			if (!wpa_cli_cmd_v("set_network %d pairwise %s", resp.network_id,
+					   cipher_config.pairwise_cipher)) {
+				goto out;
+			}
+
+			if (!wpa_cli_cmd_v("set_network %d group_mgmt %s", resp.network_id,
+					   cipher_config.group_mgmt_cipher)) {
 				goto out;
 			}
 
@@ -645,11 +785,44 @@ static int wpas_add_and_config_network(struct wpa_supplicant *wpa_s,
 				goto out;
 			}
 
-			if (!wpa_cli_cmd_v("set_network %d eap TLS",
+			if (!wpa_cli_cmd_v("set_network %d eap %s", resp.network_id, method)) {
-					   resp.network_id)) {
 				goto out;
 			}
 
+			if (params->security == WIFI_SECURITY_TYPE_EAP_PEAP_MSCHAPV2 ||
+			    params->security == WIFI_SECURITY_TYPE_EAP_PEAP_GTC ||
+			    params->security == WIFI_SECURITY_TYPE_EAP_PEAP_TLS) {
+				snprintk(phase1, sizeof(phase1),
+					 "peapver=%d peaplabel=0 crypto_binding=0",
+					 params->eap_ver);
+
+				if (!wpa_cli_cmd_v("set_network %d phase1 \"%s\"", resp.network_id,
+						   &phase1[0])) {
+					goto out;
+				}
+			}
+
+			if (phase2 != NULL) {
+				if (!wpa_cli_cmd_v("set_network %d phase2 \"%s\"", resp.network_id,
+						   phase2)) {
+					goto out;
+				}
+			}
+
+			if (params->eap_id_length > 0) {
+				if (!wpa_cli_cmd_v("set_network %d identity \"%s\"",
+						   resp.network_id, params->eap_identity)) {
+					goto out;
+				}
+			}
+
+			if (params->eap_passwd_length > 0) {
+				if (!wpa_cli_cmd_v("set_network %d password \"%s\"",
+						   resp.network_id, params->eap_password)) {
+					goto out;
+				}
+			}
+
 			if (!wpa_cli_cmd_v("set_network %d anonymous_identity \"%s\"",
 					   resp.network_id, params->anon_id)) {
 				goto out;
@@ -692,6 +865,44 @@ static int wpas_add_and_config_network(struct wpa_supplicant *wpa_s,
 					   resp.network_id, params->key_passwd)) {
 				goto out;
 			}
+
+			if (wpas_config_process_blob(wpa_s->conf, "ca_cert2",
+						     enterprise_creds.ca_cert2,
+						     enterprise_creds.ca_cert2_len)) {
+				goto out;
+			}
+
+			if (!wpa_cli_cmd_v("set_network %d ca_cert2 \"blob://ca_cert2\"",
+					   resp.network_id)) {
+				goto out;
+			}
+
+			if (wpas_config_process_blob(wpa_s->conf, "client_cert2",
+						     enterprise_creds.client_cert2,
+						     enterprise_creds.client_cert2_len)) {
+				goto out;
+			}
+
+			if (!wpa_cli_cmd_v("set_network %d client_cert2 \"blob://client_cert2\"",
+					   resp.network_id)) {
+				goto out;
+			}
+
+			if (wpas_config_process_blob(wpa_s->conf, "private_key2",
+						     enterprise_creds.client_key2,
+						     enterprise_creds.client_key2_len)) {
+				goto out;
+			}
+
+			if (!wpa_cli_cmd_v("set_network %d private_key2 \"blob://private_key2\"",
+					   resp.network_id)) {
+				goto out;
+			}
+
+			if (!wpa_cli_cmd_v("set_network %d private_key2_passwd \"%s\"",
+					   resp.network_id, params->key2_passwd)) {
+				goto out;
+			}
 #endif
 		} else {
 			ret = -1;

modules/hostap/src/supp_main.h

@@ -15,7 +15,7 @@
 	!defined(CONFIG_EAP_PSK) && !defined(CONFIG_EAP_PAX) && \
 	!defined(CONFIG_EAP_SAKE) && !defined(CONFIG_EAP_GPSK) && \
 	!defined(CONFIG_EAP_PWD) && !defined(CONFIG_EAP_EKE) && \
-	!defined(CONFIG_EAP_IKEV2)
+	!defined(CONFIG_EAP_IKEV2 && !defined(CONFIG_EAP_GTC)
 #error "At least one of the following EAP methods need to be defined    \
 	CONFIG_EAP_TLS    \
 	CONFIG_EAP_TTLS   \
@@ -32,6 +32,7 @@
 	CONFIG_EAP_IKEV2   \
 	CONFIG_EAP_SIM   \
 	CONFIG_EAP_AKA   \
+	CONFIG_EAP_GTC   \
 	CONFIG_EAP_ALL "
 #endif /* EAP METHODS */
 #endif /* CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE */

samples/net/wifi/boards/rd_rw612_bga.conf

@@ -28,6 +28,7 @@ CONFIG_ZVFS_OPEN_MAX=30
 CONFIG_SHELL_ARGC_MAX=48
 CONFIG_WIFI_SHELL_MAX_AP_STA=8
 CONFIG_WIFI_MGMT_AP_MAX_NUM_STA=8
+CONFIG_SHELL_CMD_BUFF_SIZE=512
 
 # net
 CONFIG_NET_L2_ETHERNET=y

subsys/net/l2/wifi/CMakeLists.txt

@@ -49,3 +49,21 @@ generate_inc_file_for_target(
     ${ZEPHYR_BASE}/samples/net/wifi/test_certs/ca.pem
     ${gen_dir}/ca.pem.inc
     )
+
+generate_inc_file_for_target(
+    app
+    ${ZEPHYR_BASE}/samples/net/wifi/test_certs/client2.pem
+    ${gen_dir}/client2.pem.inc
+    )
+
+generate_inc_file_for_target(
+    app
+    ${ZEPHYR_BASE}/samples/net/wifi/test_certs/client-key2.pem
+    ${gen_dir}/client-key2.pem.inc
+    )
+
+generate_inc_file_for_target(
+    app
+    ${ZEPHYR_BASE}/samples/net/wifi/test_certs/ca2.pem
+    ${gen_dir}/ca2.pem.inc
+    )

subsys/net/l2/wifi/wifi_shell.c

@@ -44,6 +44,18 @@ static const char client_key_test[] = {
 	#include <wifi_enterprise_test_certs/client-key.pem.inc>
 	'\0'
 };
+
+static const char ca_cert2_test[] = {
+	#include <wifi_enterprise_test_certs/ca2.pem.inc>
+	'\0'};
+
+static const char client_cert2_test[] = {
+	#include <wifi_enterprise_test_certs/client2.pem.inc>
+	'\0'};
+
+static const char client_key2_test[] = {
+	#include <wifi_enterprise_test_certs/client-key2.pem.inc>
+	'\0'};
 #endif
 
 #define WIFI_SHELL_MODULE "wifi"
@@ -103,6 +115,12 @@ static int cmd_wifi_set_enterprise_creds(const struct shell *sh, struct net_if *
 	params.client_cert_len = ARRAY_SIZE(client_cert_test);
 	params.client_key = (uint8_t *)client_key_test;
 	params.client_key_len = ARRAY_SIZE(client_key_test);
+	params.ca_cert2 = (uint8_t *)ca_cert2_test;
+	params.ca_cert2_len = ARRAY_SIZE(ca_cert2_test);
+	params.client_cert2 = (uint8_t *)client_cert2_test;
+	params.client_cert2_len = ARRAY_SIZE(client_cert2_test);
+	params.client_key2 = (uint8_t *)client_key2_test;
+	params.client_key2_len = ARRAY_SIZE(client_key2_test);
 
 	if (net_mgmt(NET_REQUEST_WIFI_ENTERPRISE_CREDS, iface, &params, sizeof(params))) {
 		PR_WARNING("Set enterprise credentials failed\n");
@@ -503,7 +521,26 @@ static int __wifi_args_to_params(const struct shell *sh, size_t argc, char *argv
 		{"channel", required_argument, 0, 'c'},
 		{"timeout", required_argument, 0, 't'},
 		{"anon-id", required_argument, 0, 'a'},
-		{"key-passwd", required_argument, 0, 'K'},
+		{"key1-pwd", required_argument, 0, 'K'},
+		{"key2-pwd", required_argument, 0, 'K'},
+		{"suiteb-type", required_argument, 0, 'S'},
+		{"eap-version", required_argument, 0, 'V'},
+		{"eap-id1", required_argument, 0, 'I'},
+		{"eap-id2", required_argument, 0, 'I'},
+		{"eap-id3", required_argument, 0, 'I'},
+		{"eap-id4", required_argument, 0, 'I'},
+		{"eap-id5", required_argument, 0, 'I'},
+		{"eap-id6", required_argument, 0, 'I'},
+		{"eap-id7", required_argument, 0, 'I'},
+		{"eap-id8", required_argument, 0, 'I'},
+		{"eap-pwd1", required_argument, 0, 'P'},
+		{"eap-pwd2", required_argument, 0, 'P'},
+		{"eap-pwd3", required_argument, 0, 'P'},
+		{"eap-pwd4", required_argument, 0, 'P'},
+		{"eap-pwd5", required_argument, 0, 'P'},
+		{"eap-pwd6", required_argument, 0, 'P'},
+		{"eap-pwd7", required_argument, 0, 'P'},
+		{"eap-pwd8", required_argument, 0, 'P'},
 		{"help", no_argument, 0, 'h'},
 		{0, 0, 0, 0}};
 	char *endptr;
@@ -519,14 +556,16 @@ static int __wifi_args_to_params(const struct shell *sh, size_t argc, char *argv
 	char bands_str[MAX_BANDS_STR_LEN] = {0};
 	size_t offset = 0;
 	long channel;
+	int key_passwd_cnt = 0;
 
 	/* Defaults */
 	params->band = WIFI_FREQ_BAND_UNKNOWN;
 	params->channel = WIFI_CHANNEL_ANY;
 	params->security = WIFI_SECURITY_TYPE_NONE;
 	params->mfp = WIFI_MFP_OPTIONAL;
+	params->eap_ver = 1;
 
-	while ((opt = getopt_long(argc, argv, "s:p:k:w:b:c:m:t:a:K:h",
+	while ((opt = getopt_long(argc, argv, "s:p:k:e:w:b:c:m:t:a:K:S:V:I:P:h",
 				  long_options, &opt_index)) != -1) {
 		state = getopt_state_get();
 		switch (opt) {
@@ -640,10 +679,54 @@ static int __wifi_args_to_params(const struct shell *sh, size_t argc, char *argv
 			}
 			break;
 		case 'K':
-			params->key_passwd = optarg;
+			if (key_passwd_cnt >= 2) {
-			params->key_passwd_length = strlen(params->key_passwd);
+				PR_WARNING("too many key_passwd (max 2 key_passwd)\n");
-			if (params->key_passwd_length > WIFI_ENT_PSWD_MAX_LEN) {
+				return -EINVAL;
-				PR_WARNING("key_passwd too long (max %d characters)\n",
+			}
+
+			if (key_passwd_cnt == 0) {
+				params->key_passwd = optarg;
+				params->key_passwd_length = strlen(params->key_passwd);
+				if (params->key_passwd_length > WIFI_ENT_PSWD_MAX_LEN) {
+					PR_WARNING("key_passwd too long (max %d characters)\n",
+							WIFI_ENT_PSWD_MAX_LEN);
+					return -EINVAL;
+				}
+			} else if (key_passwd_cnt == 1) {
+				params->key2_passwd = optarg;
+				params->key2_passwd_length = strlen(params->key2_passwd);
+				if (params->key2_passwd_length > WIFI_ENT_PSWD_MAX_LEN) {
+					PR_WARNING("key2_passwd too long (max %d characters)\n",
+							WIFI_ENT_PSWD_MAX_LEN);
+					return -EINVAL;
+				}
+			}
+			key_passwd_cnt++;
+			break;
+		case 'S':
+			params->suiteb_type = atoi(optarg);
+			break;
+		case 'V':
+			params->eap_ver = atoi(optarg);
+			if (params->eap_ver != 0U && params->eap_ver != 1U) {
+				PR_WARNING("eap_ver error %d\n", params->eap_ver);
+				return -EINVAL;
+			}
+			break;
+		case 'I':
+			params->eap_identity = optarg;
+			params->eap_id_length = strlen(params->eap_identity);
+			if (params->eap_id_length > WIFI_ENT_IDENTITY_MAX_LEN) {
+				PR_WARNING("eap identity too long (max %d characters)\n",
+					    WIFI_ENT_IDENTITY_MAX_LEN);
+				return -EINVAL;
+			}
+			break;
+		case 'P':
+			params->eap_password = optarg;
+			params->eap_passwd_length = strlen(params->eap_password);
+			if (params->eap_passwd_length > WIFI_ENT_PSWD_MAX_LEN) {
+				PR_WARNING("eap password length too long (max %d characters)\n",
 					    WIFI_ENT_PSWD_MAX_LEN);
 				return -EINVAL;
 			}
@@ -710,7 +793,12 @@ static int cmd_wifi_connect(const struct shell *sh, size_t argc,
 
 #ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
 	/* Load the enterprise credentials if needed */
-	if (cnx_params.security == WIFI_SECURITY_TYPE_EAP_TLS) {
+	if (cnx_params.security == WIFI_SECURITY_TYPE_EAP_TLS ||
+	    cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_MSCHAPV2 ||
+	    cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_GTC ||
+	    cnx_params.security == WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2 ||
+	    cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_TLS ||
+	    cnx_params.security == WIFI_SECURITY_TYPE_EAP_TLS_SHA256) {
 		cmd_wifi_set_enterprise_creds(sh, iface);
 	}
 #endif
@@ -2997,16 +3085,23 @@ SHELL_SUBCMD_ADD((wifi), connect, &wifi_commands,
 		  "[-p, --psk]: Passphrase (valid only for secure SSIDs)\n"
 		  "[-k, --key-mgmt]: Key Management type (valid only for secure SSIDs)\n"
 		  "0:None, 1:WPA2-PSK, 2:WPA2-PSK-256, 3:SAE-HNP, 4:SAE-H2E, 5:SAE-AUTO, 6:WAPI,"
-		  " 7:EAP-TLS, 8:WEP, 9: WPA-PSK, 10: WPA-Auto-Personal, 11: DPP\n"
+		  "7:EAP-TLS, 8:WEP, 9: WPA-PSK, 10: WPA-Auto-Personal, 11: DPP\n"
+		  "12: EAP-PEAP-MSCHAPv2, 13: EAP-PEAP-GTC, 14: EAP-TTLS-MSCHAPv2, 15: EAP-PEAP-TLS\n"
 		  "[-w, --ieee-80211w]: MFP (optional: needs security type to be specified)\n"
 		  ": 0:Disable, 1:Optional, 2:Required.\n"
 		  "[-m, --bssid]: MAC address of the AP (BSSID).\n"
 		  "[-t, --timeout]: Timeout for the connection attempt (in seconds).\n"
 		  "[-a, --anon-id]: Anonymous identity for enterprise mode.\n"
-		  "[-K, --key-passwd]: Private key passwd for enterprise mode.\n"
+		  "[-K, --key1-pwd for eap phase1 or --key2-pwd for eap phase2]:\n"
+		  "Private key passwd for enterprise mode. Default no password for private key.\n"
+		  "[-S, --suiteb-type]: 1:suiteb, 2:suiteb-192. Default 0: not suiteb mode.\n"
+		  "[-V, --eap-version]: 0 or 1. Default 1: eap version 1.\n"
+		  "[-I, --eap-id1]: Client Identity. Default no eap identity.\n"
+		  "[-P, --eap-pwd1]: Client Password.\n"
+		  "Default no password for eap user.\n"
 		  "[-h, --help]: Print out the help for the connect command.\n",
 		  cmd_wifi_connect,
-		 2, 13);
+		 2, 19);
 
 SHELL_SUBCMD_ADD((wifi), disconnect, &wifi_commands,
 		 "Disconnect from the Wi-Fi AP.\n",